Attacker Impact
An unauthenticated remote attacker can bypass authentication and log in as any registered user or administrator on the IRC network [S1]. By spoofing the TLS certificate fingerprint of a target user, the attacker gains unauthorized access to private channels and administrative privileges [S1].
Root Cause
The vulnerability exists in the SASL authentication module of UnrealIRCd [S1]. Due to insufficient validation of the parameters passed during SASL authentication, the application incorrectly trusts a user-supplied certificate fingerprint rather than verifying it against the actual TLS session data [S1]. This allows an attacker to supply a crafted parameter containing the target user's certificate fingerprint, leading to successful authentication bypass [S1].
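The root cause above, as an added C sketch that is not UnrealIRCd's code: a simplified model in which every struct, function name and fingerprint value is hypothetical. It contrasts an account lookup keyed on a client-supplied fingerprint with one keyed only on the fingerprint the TLS layer recorded for the session.

```c
#include <string.h>

/* Simplified model, not UnrealIRCd code; every name here is hypothetical. */
struct account { const char *name; const char *certfp; };

struct session {
    /* Set by the TLS layer from the peer certificate after the handshake;
       NULL when the client presented no certificate. */
    const char *tls_peer_fp;
};

/* Constructed sample registrations (shortened, made-up fingerprints). */
static const struct account ACCOUNTS[] = {
    { "alice", "aa11aa11" },
    { "oper",  "bb22bb22" },
};

static const char *lookup_by_fp(const char *fp)
{
    if (fp == NULL || *fp == '\0')
        return NULL;
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].certfp, fp) == 0)
            return ACCOUNTS[i].name;
    return NULL;
}

/* Flawed pattern: the lookup key is a client-controlled parameter. */
const char *auth_external_flawed(const struct session *s, const char *claimed_fp)
{
    (void)s; /* the TLS session is never consulted */
    return lookup_by_fp(claimed_fp);
}

/* Checked pattern: the lookup key comes only from the TLS session. A claimed
   value that disagrees with the session fails closed. */
const char *auth_external_checked(const struct session *s, const char *claimed_fp)
{
    if (s->tls_peer_fp == NULL)
        return NULL;
    if (claimed_fp != NULL && strcmp(claimed_fp, s->tls_peer_fp) != 0)
        return NULL;
    return lookup_by_fp(s->tls_peer_fp);
}
```

In the checked form a session with no client certificate, or with a certificate that is not registered, never maps to an account regardless of what the client sends.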
Affected Versions
This vulnerability affects the following versions of UnrealIRCd:
- UnrealIRCd versions prior to 3.2.10.7 [S1]
- UnrealIRCd 4.x versions prior to 4.0.6 [S1]
Concrete Fixes
- Upgrade UnrealIRCd: Update the UnrealIRCd server to version 3.2.10.7, 4.0.6, or any later release where the SASL module has been patched to properly validate certificate fingerprints against the active TLS connection [S1].
